|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "BPF STX Kernel Write Exploit"
m (Underscore in the name.) |
|||
| (6 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| + | {{DISPLAYTITLE:BPF_STX Kernel Write Exploit}} |
||
bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array: |
bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array: |
||
| Line 22: | Line 23: | ||
This allows arbitrary locations on the stack to be modified. |
This allows arbitrary locations on the stack to be modified. |
||
| − | This bug was actually fixed in FreeBSD |
+ | This bug was actually fixed in FreeBSD. [http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380] |
| + | |||
| + | {{stub|exploit}} |
||
| + | [[Category:Exploits]] |
||
Latest revision as of 19:25, 30 May 2013
bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array:
case BPF_ST:
mem[pc->k] = A;
continue;
case BPF_STX:
mem[pc->k] = X;
continue;
bpf_validate runs first to check the program, and handles BPF_ST correctly, but forgets to handle BPF_STX:
/*
* Check that memory operations use valid addresses.
*/
if ((BPF_CLASS(p->code) == BPF_ST ||
(BPF_CLASS(p->code) == BPF_LD &&
(p->code & 0xe0) == BPF_MEM)) &&
p->k >= BPF_MEMWORDS)
return 0;
This allows arbitrary locations on the stack to be modified.
This bug was actually fixed in FreeBSD. [1]
|
This exploit article is a "stub", an incomplete page. Please add more content to this article and remove this tag. |
